lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

Contribute to internal phishing detection of Thunderbird #158

Open ale5000-git opened 5 years ago

ale5000-git commented 5 years ago

I would like it if the plug-in would contribute to the internal phishing detection of Thunderbird; an e-mail with wrong DKIM is more likely phishing, whereas the opposite is not.

I'm not sure how it is working in Thunderbird, but it would be nice to have something like +1 point when DKIM passes and -1 point when DKIM fails to contribute to the detection already in place.

Maybe the plug-in could offer an API that, when called, returns:

And then the API could be used by Thunderbird if available.

lieser commented 5 years ago

> an e-mail with wrong DKIM is more likely phishing, whereas the opposite is not.

I don't agree. All spam/phishing I received so far had either no or a valid DKIM signature (from some domain in control of the attacker).

On the other hand, there are genuine e-mails with a broken DKIM signature, especially if received via an e-mail list.

For me, DKIM only has value if a (trustworthy) association can be made between the signing domain and the entity the e-mail claims to be from.

> +1 point when DKIM passes and -1 point when DKIM fails

Given the reasons above, I don't think adding something simple like this would add much value to the spam filter, if any at all.

One could potentially use the already included white list of trusted domains, at the moment used for showing the favicons. But this would only help in avoiding false positive spam, and not in detecting spam in general. So I currently don't see enough value being added to justify the work needed to implement this.

tbertels commented 1 year ago

Something the extension could do is check if the DKIM domain is the same as the sender's email address domain.

If the DKIM isn't valid or if the sender's email address domain is different, the sender's email address could be highlighted in red or something and a warning icon could be shown. That way, the user would be more cautious with the email. If not, a green icon could be shown instead. This is because many phishing emails obviously don't use DKIM, so the user would learn, for important emails, to check if the DKIM exists and is valid.

For e-mail lists (not a frequent use case for most users), the list email could be checked instead of the sender's email.

Note that it may be best to just show a green icon for messages where the sender's email is on the same domain as the DKIM and not show any warning otherwise.

Update: There's actually an option in Display in the left panel (didn't notice that panel) to highlight the sender's email address based on DKIM.

lieser commented 1 year ago

Note that this issue is about automatically contributing to Thunderbird's own spam detection, without the addon making any changes to the GUI. Making it easier for users to manually identify spam via e.g. the visual clues you are suggesting would be better tracked in a new issue.

> if the sender's email address domain is different, the sender's email address could be highlighted in red or something and a warning icon could be shown.

It should already produce a warning if the from address is not included in the signing domain. And for mailing lists, sign rules can be used to disable this: https://github.com/lieser/dkim_verifier/wiki/Sign-rules#disable-from-is-not-in-signing-domain-warning.
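
The check discussed in the last two comments (whether the From address lies inside the signing domain of a valid signature), as an added example that is not the add-on's own code. The function names, result labels and sample headers are constructed, the cryptographic result is assumed to be computed elsewhere, and "in the signing domain" is assumed to mean equal to or a subdomain of `d=`.

```javascript
// Added example; names and sample data are constructed, not the add-on's code.

// Parse a DKIM-Signature header value into a tag -> value map (RFC 6376 tag-list).
function parseDkimTags(headerValue) {
  const tags = {};
  for (const part of headerValue.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    // Folding whitespace inside values (e.g. a wrapped b=) is not significant.
    tags[name] = part.slice(eq + 1).replace(/\s+/g, "");
  }
  return tags;
}

// Extract the domain of the From address. Simplified: takes the address in
// angle brackets if present, otherwise the whole value; no RFC 5322 groups.
function fromDomain(fromHeader) {
  const m = fromHeader.match(/<([^<>]+)>\s*$/);
  const addr = (m ? m[1] : fromHeader).trim();
  const at = addr.lastIndexOf("@");
  return at === -1 ? null : addr.slice(at + 1).toLowerCase();
}

// True if the From domain equals the signing domain (d=) or is a subdomain.
// The "." boundary stops "evilexample.com" from matching d=example.com.
function isFromInSigningDomain(domain, sdid) {
  const d = sdid.toLowerCase();
  return domain === d || domain.endsWith("." + d);
}

// dkimResult is the cryptographic outcome, assumed to be computed elsewhere.
function classify(fromHeader, dkimSignature, dkimResult) {
  if (!dkimSignature || dkimResult === "none") return "no-signature";
  if (dkimResult !== "pass") return "invalid-signature";
  const sdid = parseDkimTags(dkimSignature).d;
  const domain = fromDomain(fromHeader);
  if (!sdid || !domain) return "invalid-signature";
  return isFromInSigningDomain(domain, sdid) ? "pass-aligned" : "pass-unaligned";
}

// Constructed samples: same display name, different signing domains.
const sig = (d) => `v=1; a=rsa-sha256; d=${d}; s=sel1;\r\n h=from:subject; bh=AAAA; b=BB\r\n BB`;
const samples = [
  ['"Example Bank" <alerts@mail.example.com>', sig("example.com"), "pass"],
  ['"Example Bank" <alerts@example.com>', sig("attacker.test"), "pass"],
  ['"Example Bank" <alerts@evilexample.com>', sig("example.com"), "pass"],
  ["list-member@example.com", sig("example.com"), "fail"],
];
for (const [from, s, r] of samples) console.log(from, "->", classify(from, s, r));
```

The second sample is the case raised earlier in the thread: a cryptographically valid signature from an unrelated domain yields `pass-unaligned`, so a bare pass/fail score would not separate it from the first.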